issues icon indicating copy to clipboard operation
issues copied to clipboard
verified publisher icon twitchdev

No Cross Origin Resource Policy on the Extension JS Helper

Open BarryCarlyon opened this issue 3 years ago • 2 comments

Brief description

One of the upcoming CSP headers is Cross-Origin-Opener-Policy It's not currently enabled on the JS Helper to allow it to be included.

This is only an issue if the Developer misconfigures their test. And if Twitch enables it on Hosted/release test and doesn't update the CDN the JS helper is served from as well.

How to reproduce

Enable Cross-Origin-Opener-Policy header on your extension test that provides a server to load content from and provides CSP headers.

  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy

Screenshots

From the alert shown in the console when clicking on the twitchJS Helper in the network tools tab:

image

Additional context or questions

Generally this is only (currently) an issue for developers whom msiconfigure their test environements. As some libraries that provide CSP headers are changing their defaults

BarryCarlyon avatar Jan 12 '22 15:01 BarryCarlyon

This issue also effects embeds!

image

BarryCarlyon avatar Jan 17 '22 15:01 BarryCarlyon

Also applies to player.twitch.tv interactive players image

Lordfirespeed avatar Oct 27 '24 14:10 Lordfirespeed